
Ethical Hacking

Version 5

Module X
Session Hijacking

Scenario

Daniel is working as a web designer at Xeemahoo Inc., a news agency. His daily job is to upload the HTML files to the website of the news agency.

Xeemahoo Inc. hires a new web-hosting agency, AgentonWeb, to host its website.

One day, while checking the uploaded news section, Daniel was shocked to see wrong information posted on Xeemahoo's website.

How did the wrong information get posted?

Is there a problem in the configuration of the web server?
EC-Council

Copyright by EC-Council
All Rights reserved. Reproduction is strictly prohibited

Module Objective

This module will familiarize you with the following:

- Session Hijacking
- Difference between Spoofing and Hijacking
- Steps to Conduct a Session Hijacking Attack
- Types of Session Hijacking
- Performing Sequence Number Prediction
- TCP/IP Hijacking
- Session Hijacking Tools
- Countermeasures to Session Hijacking

Module Flow

- Session Hijacking
- Spoofing vs. Hijacking
- Session Hijacking Steps
- Types of Session Hijacking
- Sequence Number Prediction
- TCP/IP Hijacking
- Session Hijacking Tools
- Countermeasures

What is Session Hijacking?

TCP session hijacking is when a hacker takes over a TCP session between two machines.

Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.

Understanding Session Hijacking

- Understanding the flow of message packets over the Internet by dissecting the TCP stack
- Understanding the security issues involved in the use of the IPv4 standard
- Familiarizing with the basic attacks possible due to the IPv4 standard

Spoofing vs. Hijacking

In a spoofing attack, an attacker does not actively take another user offline to perform the attack.

He pretends to be another user, or machine, to gain access.

[Figure: John (Victim), Attacker, Server. The attacker tells the server "I am John and here are my credentials".]

Spoofing vs. Hijacking (contd)

With a hijacking, an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate.

Subsequently, the attacker takes over the session.

[Figure: John (Victim), Attacker, Server. John logs on to the server with his credentials; the attacker predicts the sequence and kills John's connection, then spoofs John's IP and ARP and hijacks the session.]

Steps in Session Hijacking

1. Place yourself between the victim and the target (you must be able to sniff the network)
2. Monitor the flow of packets
3. Predict the sequence number
4. Kill the connection to the victim's machine
5. Take over the session
6. Start injecting packets to the target server

Types of Session Hijacking

There are two types of session hijacking attacks:

Active: In an active attack, an attacker finds an active session and takes over.

Passive: With a passive attack, an attacker hijacks a session, but sits back, and watches and records all the traffic that is being sent back and forth.

The 3-Way Handshake

[Figure: Bob and Server]
1. Bob -> Server: SYN, Seq: 4000
2. Server -> Bob: SYN/ACK, Seq: 7000, Ack: 4001
3. Bob -> Server: ACK, Seq: 4002, Ack: 7001

If the attacker can anticipate the next SEQ/ACK number Bob will send, he will spoof Bob's address and start a communication with the server.

TCP Concepts: 3-Way Handshake

1. Bob initiates a connection with the server. Bob sends a packet to the server with the SYN bit set
2. The server receives this packet and sends back a packet with the SYN bit and an ISN (Initial Sequence Number) for the server
3. Bob sets the ACK bit acknowledging the receipt of the packet and increments the sequence number by 1
4. The two machines have successfully established a session

Sequence Numbers

- Sequence numbers are important in providing reliable communication and are also crucial for hijacking a session
- Sequence numbers are a 32-bit counter. Therefore, the possible combinations can be over 4 billion
- Sequence numbers are used to tell the receiving machine what order the packets should go in, when they are received
- Therefore, an attacker must successfully guess the sequence numbers in order to hijack a session

Sequence Number Prediction

After a client sends a connection request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client.

This sequence number is predictable; the attacker connects to a server first with its own IP address, records the sequence number chosen, then opens a second connection from a forged IP address.

The attacker doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct response.

If the source IP address is used for authentication, then the attacker can use the one-sided communication to break into the server.
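Added example, not part of the EC-Council deck: a Python model of the two kinds of ISN generator this slide contrasts, the fixed-step generator the prediction above relies on and an RFC 6528-style keyed-hash generator, together with the rule from the 3-way handshake slides that the server only completes a session when the ACK carries its ISN + 1 (under RFC 793 the SYN consumes one sequence number, so Bob's third segment carries Seq 4001 rather than the 4002 in the figure). The addresses, ports, step value and secret are constructed and nothing is sent on a network; the class and function names are mine, not any stack's.

```python
import hashlib
import os
import statistics
import time

MASK = 0xFFFFFFFF

class SteppingIsn:
    """Weak generator of the kind the slide assumes: each new connection's ISN is the
    previous one plus a fixed step, so one observed ISN reveals the next one."""
    def __init__(self, start=7000, step=64000):
        self.next_isn, self.step = start, step
    def isn(self, *_four_tuple):
        value, self.next_isn = self.next_isn, (self.next_isn + self.step) & MASK
        return value

class Rfc6528Isn:
    """RFC 6528 style: ISN = M + F(localip, localport, remoteip, remoteport, secret), where M is
    a 4-microsecond clock and F a keyed hash. Constructed here with SHA-256 over the 4-tuple."""
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
    def isn(self, lip, lport, rip, rport):
        m = (time.monotonic_ns() // 4000) & MASK
        f = hashlib.sha256(self.secret + f"{lip}:{lport}:{rip}:{rport}".encode()).digest()
        return (m + int.from_bytes(f[:4], "big")) & MASK

def server_accepts(server_isn, ack_number):
    """Handshake steps 3 and 4: the server completes the session only if the client's ACK
    carries the server's ISN + 1, which a client that never saw the SYN/ACK has to guess."""
    return ack_number == (server_isn + 1) & MASK

def isn_predictability(samples):
    """Audit statistic: spread of consecutive ISN differences. Zero means the next ISN is known."""
    deltas = [(b - a) & MASK for a, b in zip(samples, samples[1:])]
    return statistics.pstdev(deltas)

def guess_would_be_accepted(generator, step=64000):
    """The slide's scenario replayed against a generator: one ISN is observed on a connection
    from 10.1.0.100, then observed + step is offered as the ISN of a connection from a forged
    address (203.0.113.9) whose SYN/ACK cannot be seen. Returns whether the server would accept."""
    observed = generator.isn("10.1.0.200", 80, "10.1.0.100", 50000)
    real = generator.isn("10.1.0.200", 80, "203.0.113.9", 50001)   # ISN the server really chose
    return server_accepts(real, (observed + step + 1) & MASK)
```

With the keyed hash the ISN for the forged address depends on that address, so the ISN observed from the attacker's own address carries no information about it.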

TCP/IP Hijacking

- TCP/IP hijacking is a hacking technique that uses spoofed packets to take over a connection between a victim and a target machine
- The victim's connection hangs, and the hacker is then able to communicate with the host machine as if the attacker were the victim
- To launch a TCP/IP hijacking attack, the hacker must be on the same network as the victim
- The target and the victim machines can be anywhere

TCP/IP Hijacking

[Figure: Computer A (10.1.0.100), Computer B (10.1.0.200) and the Hacker]

1. Source: 10.1.0.100, Destination: 10.1.0.200, Seq#: 1429775000, Ack#: 1250510000, Len: 24
2. Source: 10.1.0.200, Destination: 10.1.0.100, Seq#: 1250510000, Ack#: 1429775024, Len: 167
3. Source: 10.1.0.100, Destination: 10.1.0.200, Seq#: 1429775024, Ack#: 1250510167, Len: 71

RST Hijacking

- RST hijacking involves injecting an authentic-looking reset (RST) packet
- Spoof the source address and predict the acknowledgment number
- The victim will believe that the source actually sent the reset packet and will reset the connection

[Figure: RST packet with a spoofed source address and predicted ACK number, resulting in a connection reset]
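Added example, not part of the EC-Council deck: a passive Python stream monitor run over the three segments of the TCP/IP hijacking figure above, then over a constructed continuation in which a second sender uses 10.1.0.100's address and a reset arrives carrying a sequence number that is not the expected one. It checks the SEQ/ACK arithmetic the figure shows and applies the RFC 5961 rule that only a RST whose SEQ exactly matches the next expected sequence number should be honoured; the `Segment` and `StreamMonitor` names and all payload bytes are constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    length: int
    flags: str = "ACK"
    payload: bytes = b""
class StreamMonitor:
    """Passive per-direction tracker: remembers the SEQ each side should send next and flags
    the symptoms a hijack leaves (one offset sent twice with different bytes, non-exact RSTs)."""
    def __init__(self):
        self.next_seq = {}   # (src, dst) -> SEQ expected on the next segment in that direction
        self.seen = {}       # ((src, dst), seq) -> payload first observed at that offset
        self.alerts = []
    def observe(self, s):
        d, rev = (s.src, s.dst), (s.dst, s.src)
        exp = self.next_seq.get(d)
        if rev in self.next_seq and s.ack > self.next_seq[rev]:
            self.alerts.append(f"{s.src} acks {s.ack}, beyond anything {s.dst} has sent")
        if "RST" in s.flags:
            # RFC 5961 s3.2: only a RST whose SEQ equals RCV.NXT is honoured; report the others
            if exp is not None and s.seq != exp:
                self.alerts.append(f"non-exact RST from {s.src}: seq {s.seq}, expected {exp}")
            return
        if exp is None or s.seq == exp:
            self.next_seq[d] = (s.seq + s.length) & 0xFFFFFFFF
            self.seen[(d, s.seq)] = s.payload
        elif self.seen.get((d, s.seq), s.payload) != s.payload:
            self.alerts.append(f"desync from {s.src}: seq {s.seq} re-sent with different payload")

def alerts_for(segments):
    monitor = StreamMonitor()
    for s in segments:
        monitor.observe(s)
    return monitor.alerts

# The slide's three segments; payload bytes are constructed, the figure only gives lengths
SLIDE_EXCHANGE = [
    Segment("10.1.0.100", "10.1.0.200", 1429775000, 1250510000, 24, payload=b"A" * 24),
    Segment("10.1.0.200", "10.1.0.100", 1250510000, 1429775024, 167, payload=b"B" * 167),
    Segment("10.1.0.100", "10.1.0.200", 1429775024, 1250510167, 71, payload=b"C" * 71),
]
# Constructed continuation: a segment 10.1.0.100 never sent, then the real host's own segment at
# the same offset, then a RST from 10.1.0.200's address whose SEQ is not the expected 1250510167
FORGED_DATA = Segment("10.1.0.100", "10.1.0.200", 1429775095, 1250510167, 10, payload=b"X" * 10)
REAL_DATA = Segment("10.1.0.100", "10.1.0.200", 1429775095, 1250510167, 10, payload=b"Y" * 10)
OFF_RST = Segment("10.1.0.200", "10.1.0.100", 1250510100, 1429775095, 0, flags="RST")
```

A plain retransmission (same offset, same bytes) raises nothing, so `alerts_for` only fires on the two conditions the slides describe.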

RST Hijacking Tool: hijack_rst.sh

# ./hijack_rst.sh


Programs that Perform Session Hijacking

There are several programs available that perform session hijacking. The following are a few that belong in this category:

- Juggernaut
- Hunt
- TTY Watcher
- IP Watcher
- T-Sight
- Paros HTTP Hijacker

Hacking Tool: Juggernaut

- Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems
- Juggernaut can be set to watch for all network traffic, or it can be given a keyword (e.g. a password) to look out for
- The objective of this program is to provide information about ongoing network sessions
- The attacker can see all of the sessions and choose a session to hijack

Hacking Tool: Hunt

Hunt is a program that can be used to listen, intercept, and hijack active sessions on a network.

Hunt offers:

- Connection management
- ARP spoofing
- Resetting connection
- Watching connection
- MAC address discovery
- Sniffing TCP traffic

Hacking Tool: TTY Watcher

- TTY Watcher is a utility to monitor and control users on a single system
- Anything the user types into a monitored TTY window will be sent to the underlying process. In this way, you are sharing a login session with another user
- After a TTY has been stolen, it can be returned to the user as though nothing happened
- (Available only for Sun Solaris systems)

Hacking Tool: IP Watcher

http://engarde.com

- IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active facilities for taking over a session
- The program can monitor all connections on a network, allowing an attacker to display an exact copy of a session in real-time, just as the user of the session sees the data

Session Hijacking Tool: T-Sight

http://engarde.com

- T-Sight is a session hijacking tool for Windows
- With T-Sight, you can monitor all of your network connections (i.e. traffic) in real-time, and observe the composition of any suspicious activity that takes place
- T-Sight has the capability to hijack any TCP sessions on the network
- Due to security reasons, Engarde Systems licenses this software to pre-determined IP addresses

Session Hijacking Tool: T-Sight

[Screenshot: "Session hijacking is simple by clicking this button"]

Remote TCP Session Reset Utility


Paros HTTP Session Hijacking Tool

- Paros is a man-in-the-middle proxy and application vulnerability scanner
- It allows users to intercept, modify, and debug HTTP and HTTPS data on-the-fly between a web server and a client browser
- It also supports spidering, proxy-chaining, filtering, and application vulnerability scanning

Paros Untitled Session


Paros HTTP Session Hijacking Tool

[Figure: Target Server in NYC; Victim in Boston; Hacker in Russia (IP: X.2.2.2)]

The victim's machine is infected with a trojan which sets the proxy of IE to the attacker's machine.

The hacker intercepts and injects his own packets since HTTP traffic is routed through him.

Dangers Posed by Hijacking

1. Most computers are vulnerable (using TCP/IP)
2. You can do little to protect against it unless you switch to another secure protocol
3. Hijacking is simple to launch
4. Most countermeasures do not work unless you use encryption
5. Hijacking is dangerous (theft of identity, fraud, and so on)

Protecting against Session Hijacking

1. Use encryption
2. Use a secure protocol
3. Limit incoming connections
4. Minimize remote access
5. Educate the employees

Countermeasure: IP Security

- IPsec is a set of protocols developed by the IETF to support the secure exchange of packets at the IP layer
- Deployed widely to implement Virtual Private Networks (VPNs)
- IPsec supports two encryption modes: Transport and Tunnel
- The sending and receiving devices must share a public key

IP-SEC


What happened next?

Jason Springfield, an Ethical Hacker, was called in to investigate the matter. Investigations revealed a few alarming facts:

- A disgruntled employee of AgentonWeb seemed to be the culprit behind the act
- The disgruntled employee hijacked Daniel's session while he was uploading the news update
- This event revealed the risk of outsourcing the web-hosting service to a third-party service provider without proper checks

Summary

- In the case of a session hijacking, an attacker relies on the legitimate user to connect and authenticate, and will then take over the session
- In a spoofing attack, the attacker pretends to be another user or machine to gain access
- Successful session hijacking is extremely difficult, and is only possible when a number of factors are under the attacker's control
- Session hijacking can be active or passive in nature depending on the degree of involvement of the attacker
- A variety of tools exist to aid the attacker in perpetrating a session hijack
- Session hijacking could be dangerous, and therefore there is a need for implementing strict countermeasures
